Message ID | 97a6a1c557f0f1e6d55d8d09b326f8b1@nuclearcat.com |
---|---|
State | Awaiting Upstream, archived |
Delegated to: | David Miller |
Headers | show |
On Mon, Nov 28, 2016 at 12:45:59PM +0200, Denys Fedoryshchenko wrote: > Hello, > > I noticed that if i specify -j SNAT with options --random --random-fully > still it keeps persistence for source IP. So you specify both? > Actually truly random src ip required in some scenarios like links balanced > by IPs, but seems since 2012 at least it is not possible. > > But actually if i do something like: > --- nf_nat_core.c.new 2016-11-28 09:55:54.000000000 +0000 > +++ nf_nat_core.c 2016-11-21 09:11:59.000000000 +0000 > @@ -282,13 +282,9 @@ > * client coming from the same IP (some Internet Banking sites > * like this), even across reboots. > */ > - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { > - j = prandom_u32(); > - } else { > - j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32), > + j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32), > range->flags & NF_NAT_RANGE_PERSISTENT ? > 0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id); > - } > > full_range = false; > for (i = 0; i <= max; i++) { > > It works as intended. But i guess to not break compatibility it is better > should be introduced as new option? > Or maybe there is no really need for such option? Why does your patch reverts NF_NAT_RANGE_PROTO_RANDOM_FULLY?
--- nf_nat_core.c.new 2016-11-28 09:55:54.000000000 +0000 +++ nf_nat_core.c 2016-11-21 09:11:59.000000000 +0000 @@ -282,13 +282,9 @@ * client coming from the same IP (some Internet Banking sites * like this), even across reboots. */ - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { - j = prandom_u32(); - } else { - j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32), + j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32), range->flags & NF_NAT_RANGE_PERSISTENT ? 0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id); - } full_range = false;